Elasticsearch 7: building a cluster and configuring node certificates | handsome uncle's blog
The stand-alone setup is relatively simple, so let's try the cluster version. Since resources are limited, the example in this article builds a cluster by starting several nodes on a single host, each on different ports.
Environment description:
- CentOS 7
- Elasticsearch 7.9.0
Plan: build 3 nodes
1. Download the ES installation package
Go to the official website to download
- Download address: Download Elasticsearch | Elastic
- Historical version: https://www.elastic.co/cn/downloads/past-releases#elasticsearch
- Version 7.9.0: Elasticsearch 7.9.0 | Elastic
Choose the Linux x86_64 download of version 7.9.0. If you don't know the difference between x86_64 and AARCH64, look it up first.
Run the following shell commands:
# Download
wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.9.0-linux-x86_64.tar.gz
# Unpack
tar -zxvf elasticsearch-7.9.0-linux-x86_64.tar.gz
# After extraction a folder named elasticsearch-7.9.0 is created
# For ease of management, create a new folder: elasticsearch-cluster
mkdir elasticsearch-cluster
# Copy elasticsearch-7.9.0 three times into elasticsearch-cluster, renaming each copy
cp -r elasticsearch-7.9.0 elasticsearch-cluster/elasticsearch-9301
cp -r elasticsearch-7.9.0 elasticsearch-cluster/elasticsearch-9302
cp -r elasticsearch-7.9.0 elasticsearch-cluster/elasticsearch-9303
From the directories copied above you can see that I plan to start 3 nodes, using ports 9301, 9302 and 9303.
2. Modify the configuration file of the node
Explanation of the common configuration options
# Cluster name
cluster.name: mtSearch
# Node name; must not be the same on any two nodes
node.name: mtNode1
# Whether this node is master-eligible
node.master: true
# Whether this node is a data node
node.data: true
# Log path
path.logs: /opt/elasticsearch-cluster/logs
# Lock the process memory so Elasticsearch memory is never swapped out, i.e. stop ES from using the swap partition.
# If bootstrap.memory_lock is true, remember to add a memlock entry to /etc/security/limits.conf; comment it out for now.
bootstrap.memory_lock: true
# Bind IP
network.host: 172.16.1.236
# HTTP request port
http.port: 9200
# TCP port for node-to-node communication; the default is 9300
transport.tcp.port: 9300
# Whether to compress data during TCP transport; the default is false (no compression)
transport.tcp.compress: true
# Cluster seed host addresses. Before 7.x the discovery.zen.ping.unicast.hosts parameter was used; version 7 still accepts it, but it may be removed later
discovery.seed_hosts: ["172.16.1.236:9300","172.16.1.236:9301","172.16.1.236:9302"]
# To prevent split-brain: how many master-eligible nodes are needed to elect a master, usually N/2 + 1 (N = number of nodes in the cluster).
# Note: 7.x ignores this setting and manages the quorum itself; it is listed here only for readers coming from 6.x
discovery.zen.minimum_master_nodes: 2
# Where to get the addresses of the seed nodes that start the discovery process. By default the settings-based seed host provider (the seed addresses above) is used;
# there is also a file-based provider, which needs a unicast_hosts.txt file created in the installation directory
discovery.seed_providers: file
# If neither discovery.seed_hosts nor discovery.seed_providers is configured, cluster.initial_master_nodes is used for the master election.
# If those two options are configured, cluster.initial_master_nodes does not take effect.
# What the official documentation says: https://www.elastic.co/guide/en/elasticsearch/reference/7.9/modules-discovery-bootstrap-cluster.html#_auto_bootstrapping_in_development_mode
cluster.initial_master_nodes: ["mtNode1", "mtNode2", "mtNode3"]
# After a restart, recovery begins only once this many nodes have joined the cluster
gateway.recover_after_nodes: 2
# Cross-origin (CORS) settings
http.cors.enabled: true
http.cors.allow-origin: "*"
1. Configuration file for each node
Each node's configuration is slightly different.
9301 node configuration
cluster.name: mtSearch
node.name: mtNode1
node.master: true
node.data: true
path.logs: /opt/elasticsearch-cluster/logs
network.host: 172.16.1.236
http.port: 9201
transport.tcp.port: 9301
transport.tcp.compress: true
# the seed list must contain the transport ports of the three nodes (9301-9303), not the default 9300
discovery.seed_hosts: ["172.16.1.236:9301","172.16.1.236:9302","172.16.1.236:9303"]
cluster.initial_master_nodes: ["mtNode1","mtNode2","mtNode3"]
gateway.recover_after_nodes: 2
http.cors.enabled: true
http.cors.allow-origin: "*"
9302 node configuration
cluster.name: mtSearch
node.name: mtNode2
node.master: true
node.data: true
path.logs: /opt/elasticsearch-cluster/logs
network.host: 172.16.1.236
http.port: 9202
transport.tcp.port: 9302
transport.tcp.compress: true
# the seed list must contain the transport ports of the three nodes (9301-9303), not the default 9300
discovery.seed_hosts: ["172.16.1.236:9301","172.16.1.236:9302","172.16.1.236:9303"]
cluster.initial_master_nodes: ["mtNode1","mtNode2","mtNode3"]
gateway.recover_after_nodes: 2
http.cors.enabled: true
http.cors.allow-origin: "*"
9303 node configuration
cluster.name: mtSearch
node.name: mtNode3
node.master: true
node.data: true
path.logs: /opt/elasticsearch-cluster/logs
network.host: 172.16.1.236
http.port: 9203
transport.tcp.port: 9303
transport.tcp.compress: true
# the seed list must contain the transport ports of the three nodes (9301-9303), not the default 9300
discovery.seed_hosts: ["172.16.1.236:9301","172.16.1.236:9302","172.16.1.236:9303"]
cluster.initial_master_nodes: ["mtNode1","mtNode2","mtNode3"]
gateway.recover_after_nodes: 2
http.cors.enabled: true
http.cors.allow-origin: "*"
Once all configurations are complete, start the three nodes one by one; barring surprises, you will see the cluster form successfully.
/opt/elasticsearch-cluster/elasticsearch-9301/bin/elasticsearch -d
/opt/elasticsearch-cluster/elasticsearch-9302/bin/elasticsearch -d
/opt/elasticsearch-cluster/elasticsearch-9303/bin/elasticsearch -d
Startup succeeded, as shown in the figure below:
If you have never installed it before, you may get errors such as running as the root user, not enough threads, not enough memory, and so on.
See the pitfall notes at the end of this article.
The cluster is indeed working, but no username or password has been configured, and communication between the nodes has no verification at all; anyone can connect to the cluster at will. On the internet that is the equivalent of running naked!
3. Configure certificates
TLS needs X.509 certificates to perform encryption and authentication with the applications it communicates with. For communication between nodes to be truly secure, the certificates must be validated. The recommended way to validate certificate authenticity in an Elasticsearch cluster is to trust the certificate authority (CA) that signed the certificates. This way, when nodes are added to the cluster, they only need a certificate signed by the same CA to be automatically allowed to join.
1. Generate node certificates
The elasticsearch-certutil command simplifies the process of generating certificates: it generates a CA and signs certificates with that CA.
a. Create the certificate authority (CA)
Go into the bin directory of any one node and run the elasticsearch-certutil command, as follows:
# This command outputs a single file, named elastic-stack-ca.p12 by default. The file is a PKCS#12 keystore
# containing the CA's public certificate and the private key used to sign each node's certificate.
bin/elasticsearch-certutil ca
After running this command:
- It asks where to put the generated elastic-stack-ca.p12 file (press Enter to put it in the current directory).
- After pressing Enter it asks for a password, which protects the file and the key. If you are going to add nodes to the cluster later, remember the password you entered.
b. Generate the certificate and private key
# This command generates the certificate credential; the output is a single PKCS#12 keystore
# containing the node certificate, the node key and the CA certificate.
bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
After running the command you need to answer three prompts:
- First, enter the password of the CA generated above; if you didn't set one, just press Enter.
- Second, the path of the generated file; just press Enter.
- Third, the password for the certificate and private key file being generated; it is recommended to use the same one as for the CA above (if you are afraid of forgetting passwords, you can also just press Enter).
The places where a password must be entered are shown in the figure below:
After the command finishes, an elastic-certificates.p12 file is generated; this is the credential the nodes use to communicate with each other.
The credential only needs to be generated on one node.
2. Configure the certificates
Copy the certificate credential
Copy the certificate credential to each node:
# Copy the certificate credential to each node
cp elastic-certificates.p12 /opt/elasticsearch-cluster/elasticsearch-9301/config/
cp elastic-certificates.p12 /opt/elasticsearch-cluster/elasticsearch-9302/config/
cp elastic-certificates.p12 /opt/elasticsearch-cluster/elasticsearch-9303/config/
Modify the configuration file
Add the following configuration to the elasticsearch.yml file of each node:
xpack.security.enabled: true
xpack.security.authc.accept_default_password: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /opt/elasticsearch-cluster/elasticsearch-9301/config/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /opt/elasticsearch-cluster/elasticsearch-9301/config/elastic-certificates.p12
Note that the path above must be changed on each node to the elastic-certificates.p12 under that node's own config directory.
verification_mode: certificate checks that a peer's certificate chains to the trusted CA but does not check its hostname or IP address; that is why it is used here, since the certificate generated above was created without any --dns or --ip names.
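Because the three node files above differ in only a few fields, it is easy to copy-paste an inconsistency: a seed list that names the wrong ports, an initial_master_nodes entry that matches no node.name, or a keystore path that still points at another node's config directory. The following Python script is an added example, not code from the original post or from Elastic. It parses the flat key: value form of elasticsearch.yml, checks the three node files against each other and against the xpack settings just shown, and returns a list of findings. The node files it checks are constructed here from a template, with two mistakes planted on purpose (a seed list naming port 9300, which no node uses, and omitting 9303; and node 3's keystore path copied from node 1) so that the output is not empty; /opt/elasticsearch-cluster is assumed as the install root, as in the article.

```python
import json
import posixpath

# Constructed sample mirroring the three node files in this article, with two mistakes planted on
# purpose: the seed list names a port (9300) no node listens on and omits node 3's port (9303),
# and node 3's keystore path was copy-pasted from node 1.
SEEDS_WRONG = '["172.16.1.236:9300","172.16.1.236:9301","172.16.1.236:9302"]'
SEEDS_RIGHT = '["172.16.1.236:9301","172.16.1.236:9302","172.16.1.236:9303"]'
CLUSTER_ROOT = "/opt/elasticsearch-cluster"  # assumed install root, as in the article


def node_yml(n, keystore_node, seeds):
    """Render one node's elasticsearch.yml from a template using the article's keys."""
    p12 = "%s/elasticsearch-%s/config/elastic-certificates.p12" % (CLUSTER_ROOT, keystore_node)
    return """cluster.name: mtSearch
node.name: mtNode%d
node.master: true
network.host: 172.16.1.236
http.port: 920%d
transport.tcp.port: 930%d
discovery.seed_hosts: %s
cluster.initial_master_nodes: ["mtNode1","mtNode2","mtNode3"]
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: %s
xpack.security.transport.ssl.truststore.path: %s
""" % (n, n, n, seeds, p12, p12)


def sample_configs(seeds=SEEDS_WRONG, node3_keystore="9301"):
    """Map install directory -> elasticsearch.yml text for the three nodes."""
    return {
        "%s/elasticsearch-9301" % CLUSTER_ROOT: node_yml(1, "9301", seeds),
        "%s/elasticsearch-9302" % CLUSTER_ROOT: node_yml(2, "9302", seeds),
        "%s/elasticsearch-9303" % CLUSTER_ROOT: node_yml(3, node3_keystore, seeds),
    }


def parse_flat_yaml(text):
    """Parse the flat 'key: value' subset used by elasticsearch.yml. Values that are valid
    JSON (numbers, true/false, quoted strings, lists) are decoded; anything else, such as
    mtSearch, certificate or a file path, stays a plain string."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(":")
        try:
            cfg[key.strip()] = json.loads(value.strip())
        except ValueError:
            cfg[key.strip()] = value.strip()
    return cfg


def check_cluster(configs):
    """Return a list of findings; an empty list means the node files are consistent."""
    parsed = {d: parse_flat_yaml(t) for d, t in configs.items()}
    findings = []
    names = [c.get("node.name") for c in parsed.values()]
    if len(set(names)) != len(names):
        findings.append("node.name is not unique: %s" % names)
    if len({c.get("cluster.name") for c in parsed.values()}) != 1:
        findings.append("cluster.name differs between nodes")
    for key in ("http.port", "transport.tcp.port"):
        ports = [c.get(key) for c in parsed.values()]
        if len(set(ports)) != len(ports):
            findings.append("%s collides between nodes on one host: %s" % (key, ports))
    # every node's transport endpoint belongs in every seed list, and nothing else does
    endpoints = {"%s:%s" % (c.get("network.host"), c.get("transport.tcp.port")) for c in parsed.values()}
    masters = {c.get("node.name") for c in parsed.values() if c.get("node.master") is True}
    for install_dir, c in parsed.items():
        name = c.get("node.name")
        seeds = set(c.get("discovery.seed_hosts", []))
        for host in sorted(endpoints - seeds):
            findings.append("%s: discovery.seed_hosts omits cluster node %s" % (name, host))
        for host in sorted(seeds - endpoints):
            findings.append("%s: seed host %s is not a node of this cluster" % (name, host))
        if set(c.get("cluster.initial_master_nodes", [])) != masters:
            findings.append("%s: cluster.initial_master_nodes does not match %s" % (name, sorted(masters)))
        if c.get("xpack.security.enabled") is not True or c.get("xpack.security.transport.ssl.enabled") is not True:
            findings.append("%s: security or transport TLS is not enabled" % name)
        config_dir = posixpath.join(install_dir, "config") + "/"
        for key in ("xpack.security.transport.ssl.keystore.path", "xpack.security.transport.ssl.truststore.path"):
            if not str(c.get(key, "")).startswith(config_dir):
                findings.append("%s: %s points outside this node's config dir: %s" % (name, key, c.get(key)))
    return findings


if __name__ == "__main__":
    for finding in check_cluster(sample_configs()):
        print("FINDING:", finding)
    print("corrected sample:", check_cluster(sample_configs(SEEDS_RIGHT, "9303")) or "consistent")
```

Run as-is it prints eight findings (the seed problems once per node, plus both path settings of node 3), and an empty list for the corrected sample. To check real files, replace sample_configs() with a dict that maps each node's install directory to the contents of its config/elasticsearch.yml.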
Add the passwords to the keystore
Because passwords were set when generating both the CA and the credential, add those passwords to the Elasticsearch keystore:
# After running each command, enter the password set above and press Enter
elasticsearch-9301/bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
elasticsearch-9301/bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
# This has to be added on every node
elasticsearch-9302/bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
elasticsearch-9302/bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
# This has to be added on every node
elasticsearch-9303/bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
elasticsearch-9303/bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
The image shows a warning that roughly says: ES will require JDK 11 in the future, while my current environment is still JDK 8.
Then start each node:
elasticsearch-9301/bin/elasticsearch -d
elasticsearch-9302/bin/elasticsearch -d
elasticsearch-9303/bin/elasticsearch -d
Check the logs; barring surprises, the cluster started successfully. Request any node address, for example http://172.16.1.236:9201/
You can also connect with elasticsearch-head to take a look, but a username and password are now required for access.
Some readers will ask: I never set a username or password, so where do I find them?
When Elasticsearch is installed, if the built-in elastic user has no password, it uses the default bootstrap password. The bootstrap password is a temporary password derived from the random keystore.seed setting that is added to the keystore during installation. We have no idea what that password is, so we need to set a password for the built-in elastic user. For the initial setup you can use the elasticsearch-setup-passwords command.
Tip: I haven't tried the method below (I haven't tried it, I haven't tried it), but it is in the documentation, so I mention it.
You can use the secure settings API provided by ES to reload the secure settings when setting passwords for the built-in users:
# Reference: https://www.elastic.co/guide/en/elasticsearch/reference/7.9/secure-settings.html#reloadable-secure-settings
POST _nodes/reload_secure_settings
{
  "secure_settings_password": "yourPassword"
}
3. Configure passwords
The elasticsearch-setup-passwords tool is the simplest way to set the built-in users' passwords for the first time. It uses the elastic user's bootstrap password to run the user-management API requests.
Run the following command:
bin/elasticsearch-setup-passwords interactive
In "interactive" mode it prompts you for the passwords of the elastic, kibana_system, logstash_system, beats_system, apm_system and remote_monitoring_user users.
It only needs to be run from the bin directory of any one node; it does not need to be run on every node.
At this point the ES cluster's usernames and passwords are set up.
After we set the passwords there is an index named .security-7.
Afterwards the password can be changed:
# Any node address will do; one cluster shares one set of accounts and passwords
# When requesting with Postman, choose Authorization -> Basic Auth -> on the right enter the account set above: the elastic user and its password
POST http://172.16.1.236:9201/_xpack/security/user/elastic/_password
{
  "password": "yourNewPassword"
}
Note that this setup only enabled TLS on the transport layer (xpack.security.transport.ssl); the HTTP port is still plain http://, so the Basic Auth credentials and the new password cross the network unencrypted unless xpack.security.http.ssl is enabled as well.
4. Pitfall notes
1. Errors that may occur during installation:
See the article: Collection of ES installation problems (ES安装问题集锦)
2. Change the Java environment that runs ES
When starting ES 7.9.0 it prints: future versions of Elasticsearch will require Java 11; your Java version from [/usr/local/jdk1.8.0/jre] does not meet this requirement
That is, future versions of ES will need JDK 11, and my current environment, JDK 8, does not meet the requirement. The downloaded package ships with its own JDK, so I simply point ES at the bundled JDK as its runtime environment:
Modify the bin/elasticsearch file under each of the 3 nodes and add the following at the top:
# Change the path below to the jdk directory under your own ES node
export JAVA_HOME=/opt/elasticsearch-cluster/elasticsearch-9301/jdk
export PATH=$JAVA_HOME/bin:$PATH
It starts without this change, but changing it is recommended; after all, the official package ships with the JDK, so they clearly intend us to use the newer version.
3. Pitfall with the location of the elastic-certificates.p12 file
- Because I only have one host, I planned to keep this certificate in a separate config folder under elasticsearch-cluster, but that did not work out.
- A file permission problem was reported at startup. The error is as follows:
- It might be accessible after chmod 777 elastic-certificates.p12; I haven't tried it, but it is still recommended to put it in each node's own installation directory.
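The copy step in section 3.2 and this pitfall both come down to where the PKCS#12 credential lives and who can read it. The following Python example, added here and not part of the original post, installs the credential into each node's own config directory with owner-only permissions and then audits the files, reporting any copy that group or other users can access (which is what a chmod 777 leaves behind; the file contains the node's private key, so that access should be flagged, not granted). The temporary directory layout and the placeholder file contents are constructed for the demo, and the example assumes it runs as the user that will run Elasticsearch.

```python
import os
import shutil
import stat
import tempfile

CERT_NAME = "elastic-certificates.p12"


def install_node_certificate(p12_path, node_dirs, mode=0o600):
    """Copy the PKCS#12 credential into <node>/config/ for every node directory
    and restrict it to its owner: it holds the node's private key, so nobody
    else on the host needs to read it. Assumes the caller is (or will chown to)
    the user that runs Elasticsearch. Returns the list of installed paths."""
    installed = []
    for node_dir in node_dirs:
        config_dir = os.path.join(node_dir, "config")
        os.makedirs(config_dir, exist_ok=True)
        dest = os.path.join(config_dir, CERT_NAME)
        shutil.copyfile(p12_path, dest)
        os.chmod(dest, mode)
        installed.append(dest)
    return installed


def audit_certificate_permissions(paths):
    """Return one finding per credential file that is missing or that group/others
    can read, write or execute (the state a 'chmod 777' leaves it in)."""
    findings = []
    for path in paths:
        try:
            st = os.stat(path)
        except FileNotFoundError:
            findings.append("%s: missing" % path)
            continue
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append("%s: mode %o is accessible to group/others"
                            % (path, stat.S_IMODE(st.st_mode)))
    return findings


def demo():
    """Run the install + audit flow in a temporary directory with a constructed
    placeholder standing in for the real keystore. Returns (findings after a
    correct install, findings after one node's file is opened up with chmod 777)."""
    with tempfile.TemporaryDirectory() as root:
        p12 = os.path.join(root, CERT_NAME)
        with open(p12, "wb") as fh:
            fh.write(b"constructed placeholder, not a real PKCS#12 keystore")
        nodes = [os.path.join(root, "elasticsearch-%d" % port) for port in (9301, 9302, 9303)]
        installed = install_node_certificate(p12, nodes)
        clean = audit_certificate_permissions(installed)
        os.chmod(installed[2], 0o777)  # the shortcut from the pitfall note above
        opened_up = audit_certificate_permissions(installed)
        return clean, opened_up


if __name__ == "__main__":
    before, after = demo()
    print("after install:", before or "all copies owner-only")
    for finding in after:
        print("FINDING:", finding)
```

For the real cluster, call install_node_certificate with the path of the generated elastic-certificates.p12 and the three /opt/elasticsearch-cluster/elasticsearch-930x directories, then run audit_certificate_permissions on the returned paths as part of any startup check.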